Zoom releases patch after report reveals flaw left Mac webcams exposed

Doris Richards
July 11, 2019

Zoom said that it had "no indication" that any of the millions of people who use its software had ever fallen victim to the flaw, and said that it would be "readily apparent" if anyone had access to the camera, because the video application is designed to be the top window on a user's screen.

A serious new security vulnerability has been discovered in Zoom's video conferencing app that has left millions of Mac users exposed: any website they visit could turn on their FaceTime cameras without their permission. In its own statement, Zoom said: "Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process."

The idea that anyone can remotely activate your laptop's webcam will alarm many, and Zoom has responded by rushing out a patch for the Mac app.

Of particular concern, Leitschuh found that even if a Mac user had uninstalled the Zoom client, a localhost web server would remain on the user's machine and could re-install the client without any interaction from the user beyond visiting a web page.

The publication confirmed that the vulnerability works: clicking a link on a Mac that has previously had the Zoom app installed automatically joins the user to a conference call with the camera on.
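A simple check a Mac user or administrator can run to see whether the leftover local web server described above is still present. This is an added example, not code from the article or from Zoom or Leitschuh; it assumes, from public write-ups of the issue rather than from this article, that the daemon lived in the hidden directory ~/.zoomus and listened on localhost TCP port 19421.

```python
"""Check a Mac for the leftover Zoom localhost web server."""
import socket
from pathlib import Path

# Assumed from public write-ups of the 2019 issue, not from the article above:
# the hidden daemon was installed in ~/.zoomus and listened on 127.0.0.1:19421.
ZOOM_LOCAL_PORT = 19421
ZOOM_HIDDEN_DIR = Path.home() / ".zoomus"


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            return sock.connect_ex((host, port)) == 0
    except OSError:
        # No loopback interface or similar: treat as "not listening".
        return False


def leftover_zoom_server(port=ZOOM_LOCAL_PORT, hidden_dir=ZOOM_HIDDEN_DIR):
    """Collect the two indicators of the undocumented local server."""
    return {
        "listener": port_is_listening(port),
        "hidden_dir": Path(hidden_dir).is_dir(),
    }


def verdict(findings):
    """Turn the indicators into a short, actionable message."""
    if findings["listener"]:
        return ("local web server still listening: apply the Zoom update, "
                "which removes it, then confirm the hidden directory is gone")
    if findings["hidden_dir"]:
        return "daemon files present but not listening: remove the hidden directory"
    return "no leftover Zoom local server found"


if __name__ == "__main__":
    result = leftover_zoom_server()
    print(result)
    print(verdict(result))
```

Run it on the Mac in question; the port probe and directory check are read-only and do not talk to the daemon beyond a TCP connect.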

"It took Zoom 10 days to confirm the vulnerability", wrote Leitschuh.

According to Zoom, updating will 'remove the local web server entirely'. It also allows users to manually uninstall Zoom using a menu option in the client software.

The update is less essential for users who have already installed Zoom's own patch, but it ensures that people running older Zoom releases are no longer vulnerable as before.

'Once the update is complete, the local web server will be completely removed on that device'. Zoom clearly had not considered malicious uses, or, worse, had disregarded them, when it decided to take this choice away from the user, and it appears to treat Zoom usage, and presumably its revenue growth, as more important than protecting users from surveillance.

"What's unfortunate, invasive and a violation of trust is when the software seems 'uninstalled' but really isn't", he added.
